Municipalities Pwned at Greater Rates!

by lg0p89

Municipalities have a very distinct problem.

They are frequently targeted for ransomware and other attacks, as the attackers know their systems generally are not fully secure, unless they've been recently successfully attacked and have corrected and mitigated the issues.

This is driven by budgetary constraints - not allowing the city, county, etc. to hire the exceptional talent, purchase the tools needed in a timely manner, and fund other requisite cybersecurity needs.  While this is a Catch-22, it leaves these organizations in the wind, hoping to be obscure enough that they are not noticed and attacked.  Even a failed attack can have negative effects on operations for many reasons.

One of these targeted was the city of Florence, located in Alabama.

Florence, much like the city in Italy, sounds like an amazing place to live, located on the banks of the Tennessee River with many festivals and other attractions.  This is not a massive metropolis, with nearly 40,000 residents.  Of all the places to target, you have to wonder why Florence?

Attack

As you can guess, the city's computer system had been successfully attacked.

The entry point was the email system.  Specifically, this was a phishing attack, and the unfortunate phishee was Steve Price, the IT manager.  His credentials were acquired as part of the attack.  The phishing email was one of the many variants of the DHL email, where there are dozens of email recipients, all receiving the same package with the same tracking number on the same day.  These emails are pretty obvious as to what they are really intended for.
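The pattern described above (one parcel, one tracking number, dozens of recipients on the same day) is something a mail gateway can flag before anyone clicks.  The following script is an added example and not code from the article or from the city of Florence; the log format, the sender and recipient addresses, and the assumption that a courier tracking number appears as a run of ten or more digits are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed mail-gateway log lines (not from any real system).  Each line has a
# timestamp, sender, recipient and subject.  Lookalike courier phishing reuses one
# "tracking number" across dozens of mailboxes on the same day; that is the
# pattern this script clusters on.
SAMPLE_LOG = '''\
2020-05-04 09:12:31 from=<notify@courier-alerts.invalid> to=<sprice@city.invalid> subject="DHL Shipment 7731002933 - delivery attempt"
2020-05-04 09:12:33 from=<notify@courier-alerts.invalid> to=<jdoe@city.invalid> subject="DHL Shipment 7731002933 - delivery attempt"
2020-05-04 09:12:35 from=<notify@courier-alerts.invalid> to=<asmith@city.invalid> subject="DHL Shipment 7731002933 - delivery attempt"
2020-05-04 09:12:40 from=<notify@courier-alerts.invalid> to=<bjones@city.invalid> subject="DHL Shipment 7731002933 - delivery attempt"
2020-05-04 09:12:44 from=<notify@courier-alerts.invalid> to=<clee@city.invalid> subject="DHL Shipment 7731002933 - delivery attempt"
2020-05-04 11:02:10 from=<orders@vendor.invalid> to=<purchasing@city.invalid> subject="Your order 4411 shipped, tracking 5520019876"
2020-05-05 08:30:00 from=<notify@courier-alerts.invalid> to=<sprice@city.invalid> subject="DHL Shipment 7731002933 - delivery attempt"
'''

LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"$'
)
# Assumption: a courier tracking number shows up as a run of 10 or more digits.
TRACKING_RE = re.compile(r'\b(\d{10,})\b')


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    t = TRACKING_RE.search(fields["subject"])
    fields["tracking"] = t.group(1) if t else None
    return fields


def find_campaigns(log_text, min_recipients=4):
    """Group messages by (day, tracking number) and flag groups that reached at
    least min_recipients distinct mailboxes.  A real parcel has one recipient,
    so a tracking number fanned out to many mailboxes is a candidate campaign."""
    clusters = defaultdict(lambda: {"recipients": set(), "senders": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or not fields["tracking"]:
            continue
        key = (fields["date"], fields["tracking"])
        clusters[key]["recipients"].add(fields["rcpt"].lower())
        clusters[key]["senders"].add(fields["sender"].lower())

    flagged = []
    for (date, tracking), info in sorted(clusters.items()):
        if len(info["recipients"]) >= min_recipients:
            flagged.append({
                "date": date,
                "tracking": tracking,
                "recipients": len(info["recipients"]),
                "senders": sorted(info["senders"]),
            })
    return flagged


if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_LOG):
        print(f"{c['date']}: tracking {c['tracking']} sent to "
              f"{c['recipients']} mailboxes from {', '.join(c['senders'])}")
```

On the constructed sample the May 4 cluster (five distinct recipients, one tracking number) is flagged, while the single vendor notice and the May 5 repeat to one mailbox are not.  In practice the flagged cluster feeds a quarantine or a SIEM alert, and the threshold is tuned to the organisation's normal mail volume.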

The illustrious and distinguished Brian Krebs notified the mayor's office of their system's compromise on May 26, 2020.

From the published accounts, the city somehow did not know of the breach prior to this.  This is odd, as someone in the IT department should presumably have noticed a strange IP address accessing the system and pulling data from the network.  The following day, the system administrator did contact Mr. Krebs to let him know the affected computer and network account had been isolated and were not in service.

It appeared the sysadmin did not quite understand the capabilities of the attackers at this point.  On June 5, 2020, the attackers finished deploying the ransomware and began their demand for the ransom payment.  The city had 12 days to fully defend against the attack; unfortunately, it did only part of the work required to address the issue.

When the city began to review the situation, it did not appear any of the affected system's data had been deleted or exfiltrated.  This was probably a little too optimistic for the city.

On a side note, the attack occurred while the IT department was attempting to have the city council approve the expense for a third-party to do a penetration test of the IT systems.

Ransom

The attackers were not going to work through the attack cycle for practice and mental gymnastics.

This kind of attack has been operationalized into a business, and a rather profitable one measured by return on investment (ROI).

In this case the attackers were DoppelPaymer.  They began the demand for ransom at $378,000 in bitcoin.  The amount was negotiated down to $330,000 by a third-party firm, still in bitcoin.  This does seem to be a rather large sum, given the size of the city.  The attackers, however, have realized the power of their leverage on the systems.

Post-Attack

Once the city had the opportunity for a quick review, their IT department and a third-party, contracted by the city (Arete Advisors), began to adequately investigate the issue.

As time passed and more effort went into the investigation, the city realized the attackers might have at least a portion of the data on the affected systems.  The city noted they just didn't know.  One would presume the attackers had sufficient access that, had they chosen to, they could have taken the data.

On this note, the investigation concluded the attackers had access beginning in early May 2020 and continuing for nearly the remainder of the month.  During this time, the attackers had free access to roam about and check out the network.  They borrowed without authorization the personal information on the city's employees and customers.

As they saw the writing on the wall, the city council voted unanimously to pay the ransom.  The funds were to be paid from the insurance fund available for these types of issues.

A curious point with this is that the city required the attackers, DoppelPaymer, to provide proof they would delete the stolen information they had.

The curiosity is, other than promising or a pinky-swear, there really wasn't a way to prove they would delete the data.  This is one of the many problems with paying ransoms.  The organization is depending on the attackers to follow through and not leave a backdoor or recurring malware on the system.

Historically, the attackers have followed through and have not left any surprises behind for later, easier attacks.  They say there is honor among thieves; however, I would not bet on it.  The city naturally is also working with law enforcement on the matter.

Afterthought

If you are management, the sysadmin, or on the cybersecurity team, please consider this occurrence or any of the thousands of other successful ransomware attacks as examples of why training and an adequate Security Information and Event Management (SIEM) are so important.
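The article's point that "a strange IP address accessing the system and pulling data from the network" should have been noticed is exactly the kind of correlation a SIEM rule does.  What follows is an added example, not the article's or the city's own tooling: it sums outbound bytes per day and destination from constructed firewall flow logs and raises an alert for an unfamiliar external destination that received an unusually large volume, with off-hours transfers raising the severity.  The log format, the internal address range, the allowlist of known destinations, the 100 MB threshold and the off-hours window are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall flow-log lines (not real traffic): timestamp, internal
# source, external destination and bytes sent outbound on that connection.
SAMPLE_FLOWS = '''\
2020-05-11T02:14:05 src=10.20.1.15 dst=203.0.113.77 bytes=48211000
2020-05-11T02:31:40 src=10.20.1.15 dst=203.0.113.77 bytes=51977000
2020-05-11T03:02:12 src=10.20.1.15 dst=203.0.113.77 bytes=49500000
2020-05-11T09:15:00 src=10.20.1.30 dst=198.51.100.10 bytes=1200000
2020-05-11T10:40:22 src=10.20.1.31 dst=198.51.100.10 bytes=950000
2020-05-11T11:05:09 src=10.20.1.15 dst=192.0.2.8 bytes=2100000
2020-05-12T10:00:00 src=10.20.1.30 dst=198.51.100.10 bytes=1100000
'''

FLOW_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2} '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$'
)
# Assumption: the organisation's internal hosts live in 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed allowlist of destinations the organisation already sends data to
# (for example a cloud backup provider); anything else counts as unfamiliar.
KNOWN_DESTINATIONS = {"198.51.100.10"}
BYTES_THRESHOLD = 100_000_000   # assumption: 100 MB to one destination in one day
OFF_HOURS = set(range(0, 6))    # assumption: 00:00-05:59 counts as off-hours


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Return the parsed fields of one flow record, or None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["hour"] = int(f["hour"])
    f["bytes"] = int(f["bytes"])
    return f


def detect_exfiltration(flow_text, known_destinations=KNOWN_DESTINATIONS,
                        threshold=BYTES_THRESHOLD):
    """Sum outbound bytes per (day, external destination) and alert on
    destinations outside the allowlist that received more than `threshold`
    bytes.  A majority of the volume moved off-hours raises the severity."""
    totals = defaultdict(lambda: {"bytes": 0, "off_hours": 0, "sources": set()})
    for line in flow_text.splitlines():
        f = parse_flow(line)
        # Only internal -> external flows are outbound transfers of interest.
        if not f or not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        entry = totals[(f["date"], f["dst"])]
        entry["bytes"] += f["bytes"]
        entry["sources"].add(f["src"])
        if f["hour"] in OFF_HOURS:
            entry["off_hours"] += f["bytes"]

    alerts = []
    for (date, dst), entry in sorted(totals.items()):
        if dst in known_destinations or entry["bytes"] <= threshold:
            continue
        off_fraction = entry["off_hours"] / entry["bytes"]
        alerts.append({
            "date": date,
            "dst": dst,
            "total_bytes": entry["bytes"],
            "sources": sorted(entry["sources"]),
            "severity": "high" if off_fraction > 0.5 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_FLOWS):
        print(f"{a['date']} {a['severity'].upper()}: {a['total_bytes']} bytes from "
              f"{', '.join(a['sources'])} to unfamiliar host {a['dst']}")
```

On the constructed sample, the three overnight transfers from 10.20.1.15 to 203.0.113.77 add up to roughly 150 MB and produce one high-severity alert, while the routine traffic to the allowlisted backup host and the small transfer to 192.0.2.8 stay quiet.  The same aggregation works over any flow source a SIEM can ingest; the value is in having the baseline (the allowlist and threshold) written down before the incident, not after.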

While cybersecurity is the focus of the cybersecurity department or team, it is still everyone's job to be vigilant and not be click-happy.

If staff aren't expecting an email, don't know the person or organization it is from, or are simply left wondering whether the link or attachment is appropriate, they should not click it.

This will save so much time, energy, frustration, etc. for the staff and budget.
